Cyb3rSn0rlax
DFIR-02 : Journal Forensics

Using $LogFile and $UsnJrnl during digital investigations


Last updated 4 years ago

NTFS Journaling (Transaction Logging)

NTFS is a journaling file system: every change to file system metadata is first written as a transaction record to $LogFile, so that after a crash or an unexpected shutdown Windows can replay or roll back incomplete transactions and bring the volume back to a consistent state. NTFS logs a transaction when:

  • creating a file
  • deleting a file
  • extending a file
  • truncating a file
  • setting file information
  • renaming a file
  • changing the security (ACL) applied to a file

Each record in the previously analyzed $MFT stores a $LogFile Sequence Number (LSN) in its header at bytes 8 to 15. This LSN is what ties an MFT record to the $LogFile transaction that last modified it, and it is how the MFT correlates with the other metadata structures of the NTFS file system.

Figure: $MFT $LogFile Transaction Entry

From a forensics perspective these records are valuable for building a timeline of file system transactions.

NTFS change tracking journals

$UsnJrnl

  • Tracks changes to files and directories on the volume via USN (Update Sequence Number) records. Each record holds the file's MFT reference, its parent directory's MFT reference, a timestamp, the file name and a set of reason flags describing what changed (create, delete, data extend, rename, security change, close, ...).
  • Located in the $Extend directory at the volume root ($Extend\$UsnJrnl).
  • Its data lives in two alternate data streams (ADS):
    • $Max : metadata about the journal itself (maximum size, allocation delta, journal ID, lowest valid USN)
    • $J : the actual change records, appended sequentially; the USN of a record is its byte offset in this stream. $J is a sparse file, so the space holding the oldest records is released and the stream begins with a run of zeros.

$LogFile

  • Records the transactions NTFS applies to file system metadata, including $MFT records, for crash recovery. It is a fixed-size circular log that wraps quickly, so it usually covers a much shorter window of activity than $J.
  • A metadata file at the volume root ($LogFile, MFT record 2).
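The record layout described above is easy to walk by hand. The following Python parser is an added example, not code from this page or from any of the tools it lists: it decodes USN_RECORD_V2 entries from a $UsnJrnl:$J stream, skips the sparse zero-filled lead-in, splits the 64-bit file reference into MFT record number and sequence number (the link back to the $MFT post), converts the FILETIME timestamp, and decodes the reason flags. The sample journal it parses is constructed inline to show the lifecycle of one file through the same kinds of transactions listed for $LogFile (create, extend, rename, security change, delete); the MFT record numbers 40021 and 1234, the file names and the timestamps are all made up for the example.

```python
import struct
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# USN_RECORD_V2 fixed header, 60 bytes, little-endian:
# RecordLength, MajorVersion, MinorVersion, FileReferenceNumber,
# ParentFileReferenceNumber, Usn, TimeStamp (FILETIME), Reason, SourceInfo,
# SecurityId, FileAttributes, FileNameLength, FileNameOffset
USN_V2_HEADER = struct.Struct("<IHHQQqqIIIIHH")

# Reason bits as defined in the Windows SDK (winioctl.h); subset used here
REASON_FLAGS = {
    0x00000001: "USN_REASON_DATA_OVERWRITE",
    0x00000002: "USN_REASON_DATA_EXTEND",
    0x00000004: "USN_REASON_DATA_TRUNCATION",
    0x00000100: "USN_REASON_FILE_CREATE",
    0x00000200: "USN_REASON_FILE_DELETE",
    0x00000800: "USN_REASON_SECURITY_CHANGE",
    0x00001000: "USN_REASON_RENAME_OLD_NAME",
    0x00002000: "USN_REASON_RENAME_NEW_NAME",
    0x00008000: "USN_REASON_BASIC_INFO_CHANGE",
    0x80000000: "USN_REASON_CLOSE",
}
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(filetime):
    """FILETIME is 100-ns ticks since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=filetime // 10)


def datetime_to_filetime(dt):
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


def split_file_reference(ref):
    """NTFS file reference: low 48 bits = MFT record number, high 16 = sequence."""
    return ref & 0xFFFFFFFFFFFF, ref >> 48


@dataclass
class UsnRecord:
    usn: int
    timestamp: datetime
    mft_record: int
    sequence: int
    parent_mft_record: int
    reasons: list
    filename: str


def parse_usn_journal(data):
    """Walk a $UsnJrnl:$J stream and return the USN_RECORD_V2 entries it holds."""
    records, offset = [], 0
    while offset + USN_V2_HEADER.size <= len(data):
        length = struct.unpack_from("<I", data, offset)[0]
        if length == 0:
            # $J is sparse: zeros precede the live records, and records sit on
            # 8-byte boundaries, so step 8 bytes at a time until one appears.
            offset += 8
            continue
        if length < USN_V2_HEADER.size or offset + length > len(data):
            break  # truncated or corrupt record: stop rather than misparse
        (_, major, _, file_ref, parent_ref, usn, filetime, reason,
         _, _, _, name_len, name_off) = USN_V2_HEADER.unpack_from(data, offset)
        if major == 2:  # V3/V4 records (ReFS, range tracking) have other layouts
            name = data[offset + name_off:offset + name_off + name_len].decode("utf-16-le")
            mft_record, seq = split_file_reference(file_ref)
            records.append(UsnRecord(
                usn=usn, timestamp=filetime_to_datetime(filetime),
                mft_record=mft_record, sequence=seq,
                parent_mft_record=split_file_reference(parent_ref)[0],
                reasons=[n for bit, n in sorted(REASON_FLAGS.items()) if reason & bit],
                filename=name))
        offset += length
    return records


def lifecycle(records, mft_record):
    """All journal entries for one MFT record number, in USN (chronological) order."""
    return sorted((r for r in records if r.mft_record == mft_record), key=lambda r: r.usn)


# ---- constructed sample data (not a real $J capture) -----------------------
def build_usn_record(file_ref, parent_ref, usn, filetime, reason, name):
    name_bytes = name.encode("utf-16-le")
    length = (USN_V2_HEADER.size + len(name_bytes) + 7) & ~7   # pad to 8 bytes
    header = USN_V2_HEADER.pack(length, 2, 0, file_ref, parent_ref, usn, filetime,
                                reason, 0, 0, 0x20, len(name_bytes), USN_V2_HEADER.size)
    return header + name_bytes + b"\x00" * (length - len(header) - len(name_bytes))


def build_sample_journal():
    t0 = datetime_to_filetime(datetime(2021, 3, 14, 9, 26, 53, tzinfo=timezone.utc))
    target = 40021 | (3 << 48)          # hypothetical MFT record 40021, sequence 3
    parent = 1234 | (1 << 48)           # hypothetical parent directory record
    steps = [  # (seconds after t0, reason bits, name): the life of one file
        (0,    0x00000100, "payload.tmp"),                            # create
        (1,    0x00000002 | 0x00000100 | 0x80000000, "payload.tmp"),  # extend + close
        (2,    0x00001000, "payload.tmp"),                            # rename, old name
        (2,    0x00002000 | 0x80000000, "svchost.exe"),               # rename, new name
        (3,    0x00000800 | 0x80000000, "svchost.exe"),               # ACL changed
        (3600, 0x00000200 | 0x80000000, "svchost.exe"),               # delete
    ]
    data = b"\x00" * 64                 # sparse lead-in, as in a real $J
    for secs, reason, name in steps:
        # In a real journal the Usn field equals the record's byte offset in $J.
        data += build_usn_record(target, parent, len(data), t0 + secs * 10_000_000, reason, name)
    return data


if __name__ == "__main__":
    for r in lifecycle(parse_usn_journal(build_sample_journal()), 40021):
        print(f"{r.usn:>6} {r.timestamp:%Y-%m-%d %H:%M:%S} MFT#{r.mft_record}/{r.sequence} "
              f"parent#{r.parent_mft_record} {r.filename:<12} {' | '.join(r.reasons)}")
```

Run against a $J extracted from a live volume (for example with KAPE), the same `lifecycle()` lookup answers the usual question in a case: "what happened to MFT record N?", which pairs the rename of payload.tmp to svchost.exe, the ACL change and the later deletion, even though the file itself is gone. Note that the sequence number matters when the MFT record has been reused: a record number alone can match entries from an older, unrelated file.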

Tools

To parse these journals, here are some great free tools:

  • UsnJrnl2Csv
  • Triforce ANJP
  • KAPE

Tutorial

Here is a great video by @13cubed on how to parse and use these journals: